Clean Desk Policy: Use it to Help Stop Visual Hacking in its Tracks

A recent study has put the spotlight on ‘visual hacking’ – and visual hacking controls such as the Clean Desk Policy.

Visual hacking is when someone literally steals information visually – and it is an under-addressed threat in the workplace, according to the 3M Visual Hacking Experiment study conducted by the Ponemon Institute last year.

The study found that in nearly nine out of 10 tries, a ‘white hat hacker’ was able to visually steal sensitive information from the workplace.

A white hat hacker is a computer security expert who does penetration testing. For the study, he pretended to be a temporary or part-time worker and walked through the offices of various companies looking for sensitive information to visually hack. He looked for information on desks, screens and other locations, used a smartphone to take pictures of confidential information displayed on computer screens, and took business documents labeled ‘confidential’.

As it turned out, unprotected devices provided the most information and while it was often just employee login credentials, “a hacker only needs one piece of valuable information to unlock a large-scale data breach,” said Larry Ponemon in an online story.

The study also identified effective visual hacking controls such as employee training, having a ‘suspicious reporting’ process, using privacy filters, and implementing a Clean Desk Policy.

Lock laptops and tablets, and use password-protected screen savers. Implement a mobile device policy that includes secure storage of smartphones and USB sticks too.
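A password-protected screen saver is only a control if it is actually configured on every desk. The script below is an added example, not part of the original post or a Shred-it tool: it audits the current Windows user's screen-saver settings (the documented `ScreenSaveActive`, `ScreenSaverIsSecure` and `ScreenSaveTimeOut` values under `HKCU:\Control Panel\Desktop`) and optionally corrects them. The 10-minute maximum timeout and the `-Enforce` switch are assumptions chosen for the example; a domain environment would normally push these values through Group Policy rather than per user.

```powershell
# Added example (not from the Shred-it post): audit the current user's
# screen-saver settings against a "password-protected screen saver" rule.
# The 10-minute (600 s) maximum timeout is an assumed policy value.
param(
    [int]$MaxTimeoutSeconds = 600,
    [switch]$Enforce
)

$desktopKey = 'HKCU:\Control Panel\Desktop'

function Get-ScreenSaverSetting {
    param([string]$Name)
    # Values under this key are REG_SZ strings; a missing value means "not configured".
    $item = Get-ItemProperty -Path $desktopKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$active  = Get-ScreenSaverSetting 'ScreenSaveActive'
$secure  = Get-ScreenSaverSetting 'ScreenSaverIsSecure'
$timeout = Get-ScreenSaverSetting 'ScreenSaveTimeOut'

$findings = @()
if ($active -ne '1') { $findings += 'Screen saver is not enabled (ScreenSaveActive is not 1).' }
if ($secure -ne '1') { $findings += 'Screen saver does not require a password on resume (ScreenSaverIsSecure is not 1).' }
if (-not $timeout -or [int]$timeout -gt $MaxTimeoutSeconds) {
    $findings += "Timeout is '$timeout' seconds; policy maximum is $MaxTimeoutSeconds."
}

if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: password-protected screen saver within $MaxTimeoutSeconds seconds."
} else {
    Write-Output 'NON-COMPLIANT:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    if ($Enforce) {
        # Correct the three values for the current user only.
        Set-ItemProperty -Path $desktopKey -Name 'ScreenSaveActive'    -Value '1'
        Set-ItemProperty -Path $desktopKey -Name 'ScreenSaverIsSecure' -Value '1'
        Set-ItemProperty -Path $desktopKey -Name 'ScreenSaveTimeOut'   -Value "$MaxTimeoutSeconds"
        Write-Output 'Settings corrected for the current user (they take effect at the next logon).'
    }
}
```

Run it as the logged-on user (`.\Check-ScreenLock.ps1`) to report, or with `-Enforce` to fix. Reporting first and enforcing separately keeps the audit useful as evidence for a clean-desk walkthrough, the same way the study above counted exposed items per desk.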

Don’t leave Post-it notes containing passwords and other confidential information at work areas and computers. Never leave notebooks and day planners open and unattended. During the Ponemon study an average of five pieces of information were visually hacked per trial.

Don’t forget other vulnerable areas in the workplace. Clear all printer and fax machines of papers as soon as they’re printed. In the study, 18% of hacked information was taken from printer bins, copiers and fax machines.

Have a system in place to make sure information is not left behind in meeting rooms and other shared spaces.

When away from the desk for a while, ensure that all confidential information, in hard copy or electronic format, is out of sight or locked away. Turn off device screens too, recommends the Visual Privacy Advisory Council. (Employees should have lockable storage boxes and desks.) At the end of the day shut computers down completely.

Place documents that are no longer needed into locked consoles for secure shredding – not in open garbage or recycling bins.

Shred-it® is a Stericycle solution. North American Shred-it locations are NAID Certified for mobile document destruction, adhering to the stringent security practices and procedures established by the National Association for Information Destruction.